CIF is a language designed for two purposes, namely as a specification language for hybrid systems and as an interchange format for allowing model transformations between other languages for hybrid systems. To facilitate the top-down development of a hybrid system and also to be able to express models more succinctly in the CIF formalism, we need a mechanism for stepwise refinement. In this paper, we add the notion of hierarchy to a subset of the CIF language, which we call hCIF. The semantic domain of the CIF formalism is a hybrid transition system, constructed using structural operational semantics. The goal of this paper is to present a semantics for hierarchy in such a way that only the SOS rules for atomic entities in hCIF are redesigned in comparison to CIF. Furthermore, to be able to reuse existing tools like simulators of the CIF language, a procedure to eliminate hierarchy from an automaton is given.



1 Introduction 

Modeling languages for hybrid systems, and hybrid automata in particular, are designed to combine computational and physical aspects of a system in one formal model. The compositional interchange format (CIF), presented in [3, 14], is a hybrid modeling language based on hybrid automata [9], but with the semantics defined via structural operational semantics (SOS) [12] rules. One of the primary aims of CIF is to establish inter-operability among a wide range of tools by means of model transformations to and from the CIF. In addition, it is possible to specify hybrid systems using CIF, and perform simulation. The reason for using an SOS semantics in an automaton-based framework is that the model transformations to and from CIF are not only to be executed on 'complete' models, but also on components of bigger models. Thus, it is crucial that bisimulation (equivalence) is a congruence for all the constructs of the CIF. This is guaranteed using the process-tyft format of [11].
The CIF language contains the following features. 

• Predicates in the locations of the automata that constrain the initial values and/or initial locations 
(init predicate), time behavior (invariants and time can progress predicates), and action behavior 
(invariants). 

• Communication among automata using channels and shared variables. 

• Scoping operators for declaring variables, actions, and channels. 

• An initialization operator for restricting the initial conditions of variables. This allows initialization 
on a more global level as compared to the init predicates of automata. 

• A synchronization operator for executing actions synchronously in parallel automata. 

• An urgency operator for declaring actions or channels as urgent. 

To facilitate the top-down development of a hybrid system in the CIF formalism we need a mechanism for stepwise refinement. In this work we develop such hierarchical extensions for a subset of CIF called hCIF, in which we leave out the constructs for scoping, initialization, synchronization and urgency. Nevertheless, the semantics presented here is general enough to allow us to incorporate these concepts in a straightforward manner. In a later phase, we plan to extend hCIF to contain these constructs again. This requires us to already take into account some semantic features that are particular to the CIF (like the so-called variable trajectories, guard trajectories and termination trajectories that we discuss further on in this paper), while other features only appear in a reduced form (like the so-called environment transitions, which are only used for establishing termination, and not for establishing consistency of a state).

Stepwise refinement is a framework for designing a system correct by construction. The following steps are involved in the stepwise refinement framework as laid out in [1]. One starts with the design of a system at a higher level of abstraction; the model designed at this level is usually called an abstract model. Then a concrete model is designed by adding more behavior to the abstract model such that the concrete model is a refinement of the abstract model. This process of refining is repeated until a desired implementation is reached. Thus, any formalism that supports stepwise refinement must incorporate the following two main things. First, it should provide a way to add new details to an abstract model. Second, it should provide at least sufficient conditions under which a concrete model is a refinement of a given abstract model by construction. In this paper, we consider only the first aspect of stepwise refinement.

Consequently, we introduce a notion of hierarchy in hCIF that allows a straightforward way to add new behavior to a given model. In the past, the following techniques were proposed in order to accommodate stepwise refinement in other formalisms.

• Action refinement [19]. In this approach an action in the alphabet of a process or an automaton is substituted by another process/automaton. However, the setting of action refinement is incompatible with the interleaving models of concurrency, as pointed out in [15]. Since the CIF and hCIF formalisms are based on interleaving models of concurrency, we disregard this technique of refinement.

• Statecharts [8]. Statecharts were the first formalism that extended finite state machines with the concept of hierarchy. Conventionally, the semantics of statecharts requires a tree structure on the set of locations of a statechart. Consequently, additional concepts from tree structures, like least common ancestors, children of a location, etc., make the semantics complicated. We show in the current work that these additional concepts are unnecessary when reverting to a structural operational semantics. We only need to introduce the notion of a substructure. Other concepts of state structures, like AND-states and OR-states, can be expressed through the parallel composition and the multiple initial locations of substructures, respectively. The concepts of history retention and inter-level transitions (not considered in this paper) are not supported directly in hCIF, but they can be emulated.

• Hierarchical timed automata [6, Chap. 4] are the extension of statecharts with a finite set of clock variables modeling real time. Again the semantics of this formalism is based on the concepts of tree structures, and for this reason we also disregard this approach. However, the current work shares a common intuition about the passage of time with [6]: time can pass in a hierarchical structure only if time can pass in all the levels of the hierarchy, i.e. time transitions must synchronise in all the levels of hierarchy of a hierarchical automaton.

• State refinement operator [15]. State refinement is a binary operator on process algebraic processes written as p[q], where p, q are arbitrary process terms. Informally, it means that p is a state with the substructure q. In other words, a location of an automaton is allowed to contain another automaton representing its substructure. Furthermore, it was also stated in [15] that the above way of introducing hierarchy is compatible with the interleaving models of concurrency. Thus, the present work is motivated by the work carried out in [15], even though the basic entity in our formalism is an automaton rather than an action.

The semantics of the hCIF formalism is a hybrid transition system (HTS) [5] constructed using structural operational semantics (SOS) [12]. The goal of this paper is to show how the semantics of hierarchical automata can be defined using SOS rules, in a compositional way. We do so without introducing the complexity of state tree structures in the formalism, and in such a way that the semantics of other CIF operators remains unaffected. As an additional result, we define an algorithm for eliminating hierarchy, which enables us to reuse existing tools for implementing an hCIF simulator.

The remainder of this paper is organized as follows. First, the subset of CIF which is extended with hierarchy is presented in Section 2. Once the basic concepts are introduced, Section 3 introduces the syntactical extensions that are needed to add support for hierarchy in CIF, and we discuss the design decisions that led to such extensions. The formal semantics of hCIF is presented in Section 4, where we illustrate how the concept of hierarchy can be defined in a compositional and recursive way. In Section 5 we give a procedure to eliminate the hierarchy from an hCIF model. Finally, in Section 6 we make some concluding remarks and discuss future work.

2 Introduction to CIF 

This section presents the syntax and semantics of a subset of CIF [3], because presenting the full syntax 
and semantics would distract too much from the message of the paper. Still, we have included all the 
aspects of the CIF that were involved in the design-decisions we made when defining hierarchy. 

As was mentioned in the introduction, the CIF language is based on hybrid automata, which model a combination of computational and physical behavior of a system by mixing automata theory with the theory of algebraic differential equations. A key feature of the CIF is that it provides a structural operational semantics for such atomic (hybrid) automata, which makes the definition of more complex compositions of automata easier. The only compositions defined in this paper will be parallel composition and hierarchy, but in [3] many more are described.

Informally, a basic CIF automaton is shown in Figure 1, which models the dynamics of a thermostat in a room. This thermostat can be in one of two computational states: it is either off or on. This is reflected by the two circles (called locations) labeled Off and On. Next to the label, the locations also contain equations (called time-can-progress predicates or tcp-predicates) that model the physical behavior of the system while it is in this computational state. In our example, the temperature $T$ will behave according to the differential equation $\dot{T} = -T + 15$ when the thermostat is off and according to $\dot{T} = -T + 25$ when the thermostat is on. The dotted versions of variables, like $\dot{T}$ in the example, are used for modeling derivatives. The execution of a calculation generally results in a change of location, which is modeled by an arrow (called edge) from one location to another. Edges are labeled by actions (in our example switch-on and switch-off) that may be used to synchronize the behavior of automata in a composition (not shown here). Furthermore, they contain a predicate (called guard) that determines under which condition an action can be executed, and a predicate (called reset) that determines whether there is a change in any of the model variables. In the case of the thermostat, the switch-on action can only be executed if the temperature $T$ is lower than 20, and the action results in a change of the variable $n$ to $n + 1$, which counts the number of times the thermostat is switched on. The notation $n^+$ is used to refer to the value of $n$ after the execution of the action. The guard $n < 1000$ disables the switch-off action after a thousand switches, modeling that the thermostat breaks down and leaves the room hot. Every location contains an initialization predicate, which determines whether execution can start in that location. In the example, initially the thermostat is switched off, the temperature in the room is $T = 25$ and the counter is set to $n = 0$. This is modeled by an incoming edge in the Off location without any origin, labeled by the predicate $T = 25 \wedge n = 0$. The absence of such an incoming arrow on location On denotes that its initialization predicate is false (which means that execution cannot start in that location).

Formally, the locations of an atomic CIF automaton are taken from a given set of locations, and actions belong to the set $\mathcal{A}$. We distinguish the following types of variables: regular variables, denoted by the set $\mathcal{V}$; the dotted versions of those variables, which belong to the set $\dot{\mathcal{V}} = \{\dot{x} \mid x \in \mathcal{V}\}$; and step variables, which belong to the set $\{x^+ \mid x \in \mathcal{V} \cup \dot{\mathcal{V}}\}$. Furthermore, the variables can be classified according to their continuous evolution (i.e. how their values change during time delays). In particular, we distinguish between discrete variables ($n$ in the previous example), whose values remain constant during time delays and whose dotted versions are always 0, and continuous variables ($T$ in the previous example), whose values evolve as a continuous function of time during delays, and whose dotted versions represent their derivatives. Variables are constrained by differential algebraic equations, and we implement these as predicates. The values of the variables belong to the set $\Lambda$ that contains, among others, the sets $\mathbb{B}$, $\mathbb{R}$, and $\mathbb{C}$. Guards, tcp and initialization predicates, and reset predicates are taken from the sets $\mathcal{P}_g$, $\mathcal{P}_t$, and $\mathcal{P}_r$, respectively.

The exact syntax and semantics of predicates are left as a parameter of our theory, as we are not interested in the computational aspects of CIF in this paper. In the examples presented here, and in the tool implementations of CIF, $\mathcal{P}_g$, $\mathcal{P}_t$, and $\mathcal{P}_r$ are terms of the language of predicate logic [13], where for $\mathcal{P}_g$ and $\mathcal{P}_t$ the variables are taken from the set $\mathcal{V} \cup \dot{\mathcal{V}}$, and for $\mathcal{P}_r$ the variables are taken from the set $\mathcal{V} \cup \dot{\mathcal{V}} \cup \{x^+ \mid x \in \mathcal{V} \cup \dot{\mathcal{V}}\}$.

Given these preliminaries, an atomic automaton can be defined as follows. 

Definition 2.1 (Atomic automaton). An atomic automaton is a tuple $(V, \mathrm{init}, \mathrm{tcp}, E)$ with a set of locations $V$ (a subset of the given set of locations); initial and time-can-progress predicates $\mathrm{init}, \mathrm{tcp} : V \to \mathcal{P}_t$; and a set of edges $E \subseteq V \times \mathcal{P}_g \times \mathcal{A} \times \mathcal{P}_r \times V$.

We use a dedicated symbol to refer to the set of all atomic automata. Atomic automata, as the one shown before, can be used to build more complex models by using the parallel composition operator. CIF includes more operators, but we do not discuss them in this paper. Throughout this work, we use the term composition to refer either to an atomic automaton, or to a parallel composition of automata, which is denoted as $p \parallel_S q$, for compositions $p$ and $q$, where the set $S \subseteq \mathcal{A}$ is the set of actions that must be executed synchronously in both automata. The set of all hCIF compositions is formally defined in Section 3.

It is not possible to present the formal semantics of CIF in this paper due to lack of space. However, if an automaton has no hierarchy (i.e. no location contains a composition), the rules presented here match those of CIF.

After introducing the base language, we are ready to show how it can be extended with hierarchy. 




Figure 1: A model of the thermostat.






Hierarchical states in the Compositional Interchange Format 



3 Adding hierarchy to CIF

In this section, we show the syntactical extensions that are needed for adding hierarchy to CIF , explaining 
why every new element is required according to the design-decisions we have taken. 

An automaton is said to be hierarchical if it contains a composition in at least one of its locations. Extending CIF with hierarchy is easy to achieve with the addition of a hierarchy function $h$ to the elements of an automaton, such that $h(v)$ returns the composition contained in $v$, which we refer to as its substructure. We find this hierarchy function to be more suitable for the automata-theoretic framework of CIF than the state refinement operator of [15], which was conceived for a process algebraic setting. This is because, unlike in process algebra, the development of the CIF is aimed at modeling convenience rather than at finding the smallest representation of a given construct.

As an example, suppose we want to extend the model of the thermostat presented in Figure 1 so that it is only switched off after a certain time has elapsed (which allows the room to heat up). Having hierarchy, a refined model of the thermostat can be elaborated as in Figure 2. We define the hierarchy function $h$ such that $\mathrm{Off} \notin \mathrm{dom}(h)$, and $h(\mathrm{On})$ returns the automaton shown at the bottom of Figure 2, which initially sets up a clock $c$ (a continuous variable) and waits until the timer expires ($\Delta < c$, where $0 < \Delta$) to generate the event done.




Figure 2: Hierarchical model of the thermostat. 



An important thing to note about the substructure in Figure 2 is that one of the states contains an outgoing arrow that leads nowhere. The predicate on this arrow is called a termination predicate, and it is taken, just like tcp and initialization predicates, from the set $\mathcal{P}_t$.

Termination predicates were not part of the atomic automata of CIF before, even though they are 
common in the general theory of automata. Our reason for adding them is that we need a mechanism 
to decide when a substructure hands over the control of the execution flow to the superstate to which it 
belongs. 

In most hierarchical formalisms, such as [16] and [10], the actions enabled in the super-automaton are executed regardless of the state of the substructure. The example in Figure 2, however, illustrates that a more general approach, in which the substructure has control over the superstructure, may be useful. The example actually uses the fact that the substructure has control over the superstructure to restrict the behavior of the thermostat in such a way that it is forced to stay in the On location for a certain time. The termination mechanism that we have chosen originates from our desire to be able to (partially) translate sequential function charts [...] to CIF. In that formalism, termination is used as the standard mechanism to pass control from one chart to the next.

Another mechanism that we need when dealing with hierarchy is a way to keep track of the so-called active location that an automaton is in. Admittedly, the active location of an automaton is a semantic concept, used to keep track of the current state when describing the dynamics of an automaton, and it does not belong in a section describing the syntax. However, in the structured operational semantics of the CIF, the states are formed by pairs of syntactic descriptions and valuations of variables (see Section 4 for details), and our solution to the semantic problem of keeping track of the active location makes use of an auxiliary syntactic construct that one should not use while modeling, but that formally is part of the syntax of CIF.

In the non-hierarchical CIF, the active location of an automaton is fully determined by its initialization predicate. As a result, a state change in the semantics is modeled by changing this initialization predicate. In the hierarchical CIF, however, changing the initialization predicates of a substructure means changing the hierarchy function $h$, and this causes so-called history retention; i.e. if a substructure is terminated and the automaton gets back to it later, the substructure will restart where it ended previously, because $h$ is still in its altered form. From the example in Figure 2 one can see that this is not always desirable. History retention in that example would mean that the thermostat is only forced to linger in the On state the first time it is entered. In subsequent visits, the substructure would already be in its terminating state immediately.

The semantics we would like to give to hierarchical CIF is that a substructure is restarted every time from one of its (original) initial states. Our solution for the history retention problem is to introduce an auxiliary composition operator $p : \alpha$, which should be read as "$\alpha$ is currently in the substructure $p$". Here, $p$ is an arbitrary composite automaton and $\alpha$ is an atomic hierarchical automaton. Next, the initialization predicate of $\alpha$ can be used to model the active location of the super-automaton $\alpha$, while the initialization predicate(s) of (the components of) $p$ are used to model the active location of the active substructure. We found that the use of this auxiliary operator greatly simplifies the structured operational semantics of hierarchical CIF.

Now that we have informally introduced all the syntactic elements needed for extending CIF with 
hierarchy, we define the syntax of hierarchical automata as follows. 

Definition 3.1. An atomic hierarchical hybrid automaton is a tuple $(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$ where $(V, \mathrm{init}, \mathrm{tcp}, E)$ is an atomic CIF automaton, $\mathrm{term} : V \to \mathcal{P}_t$ is a function that associates to each location a predicate describing the conditions under which the location is final, and $h$ is a (partial) hierarchy function from $V$ to the set of composite automata that maps a location to the composite automaton it contains. The set of composite automata in hCIF is recursively defined by the following grammar, where $\alpha$ ranges over atomic hierarchical hybrid automata:

$$p ::= \alpha \;\mid\; p \parallel_S p \;\mid\; p : \alpha$$

Henceforth, we use Greek letters $\alpha$ and $\alpha'$ to indicate an atomic hierarchical hybrid automaton and Roman letters $p$, $q$, $p'$, and $q'$ to indicate any composite automaton.

4 Formal semantics of hCIF

In this section we illustrate how the concept of hierarchy can be defined in a compositional way, without introducing the additional tree-structure concepts present in the statechart formalism [8]. First, the semantic framework is set up, and then the SOS rules are presented.

The semantics of hCIF compositions (and of CIF) is given in terms of SOS rules, which induce hybrid transition systems (HTS) [5]. The states of the HTS are of the form $(p, \sigma)$, where $p$ is a composition and $\sigma : \mathcal{V} \cup \dot{\mathcal{V}} \to \Lambda$ is a function, called valuation, which assigns values to the variables. Valuations capture the phenomenon of discrete change in the values of variables caused by the execution of actions in an automaton. We denote the set of all valuations as $\Sigma$. There are three kinds of transitions in the HTS, namely action transitions, environment transitions, and time transitions. We describe them in detail next.

Action transitions are of the form $(p, \sigma) \xrightarrow{a} (p', \sigma')$, and they model the execution of action $a$ by process $p$ in an initial valuation $\sigma$, which changes process $p$ into $p'$ and results in a valuation $\sigma'$.

Environment transitions are of the form $(p, \sigma) \dashrightarrow^{b} (p', \sigma')$, and in the full CIF language they are used to model which possible behavior of the environment is consistent with that of the composition $p$, but cannot be executed by the component itself. In the restricted language hCIF, the function of the environment transitions is to indicate that a composition $p$ can initialize to become a composition $p'$ in which an active location is fixed for each (active) substructure. Furthermore, the boolean $b$ indicates whether the initialized substructure can terminate, and thus give back the control over actions to its environment.

Time transitions are of the form $(p, \sigma) \xmapsto{\rho, \theta, \omega} (p', \sigma')$, and they model the passage of time in composition $p$, in an initial valuation $\sigma$, which results in a composition $p'$ and valuation $\sigma'$. The relation between $p$ and $p'$ is the same as for environment transitions. The function $\rho : T \to \Sigma$ is called the variable trajectory, and it models the evolution of variables during the time delay. For each time point $s \in \mathrm{dom}(\rho)$ and for each variable $x \in \mathcal{V} \cup \dot{\mathcal{V}}$, the function application $\rho(s)(x)$ yields the value of variable $x$ at time $s$. The function $\theta : T \to 2^{\mathcal{A}}$ is called the guard trajectory, and it models the evolution of enabled actions during time delays. For each time point $s \in \mathrm{dom}(\theta)$, the function application $\theta(s)$ yields the set of enabled actions of composition $p$ at time $s$. Lastly, the function $\omega : T \to \mathbb{B}$ is called the termination trajectory, and it models the evolution of termination during time delays: for each time point $s \in \mathrm{dom}(\omega)$, composition $p'$ is terminating at time $s$ if and only if $\omega(s)$. For all time transitions $\mathrm{dom}(\rho) = [0, t]$ for some time point $t \in T$, and $\mathrm{dom}(\rho) = \mathrm{dom}(\theta) = \mathrm{dom}(\omega)$.

Guard trajectories were shown to be necessary for the definition of urgency and variable abstraction in CIF and other hybrid formalisms [...]. Termination trajectories allow us to keep track of the possibility of termination over time, and they are essential for constructing the guard trajectories in the rules. Even though these concepts are not necessary for giving semantics to hCIF, they allow us to solve the problem of supporting urgency and variable abstraction in a hierarchical setting, and thus our approach can be extended to the whole CIF without modifying the rules.

Even though predicates are abstract entities, we assume that a satisfaction relation $\sigma \models e$ is defined, which expresses that predicate $e \in \mathcal{P}_t \cup \mathcal{P}_g \cup \mathcal{P}_r$ is satisfied (i.e. it is true) in valuation $\sigma$. For predicate logic, this relation can be defined in a standard way (see [13] for example). For a valuation $\sigma$, we define $\sigma^+ = \{(v^+, c) \mid (v, c) \in \sigma\}$.

Definition 4.1 formalizes the hybrid transition system induced by the SOS rules presented in the next sections.

Definition 4.1. A hybrid transition system (HTS) is a tuple of the form $(Q, \mathcal{A}, \rightarrow, \mapsto, \dashrightarrow)$ where $Q$ consists of the pairs $(p, \sigma)$ of a composition and a valuation, $\rightarrow \subseteq Q \times \mathcal{A} \times Q$, $\mapsto \subseteq Q \times ((T \to \Sigma) \times (T \to 2^{\mathcal{A}}) \times (T \to \mathbb{B})) \times Q$, and $\dashrightarrow \subseteq Q \times \mathbb{B} \times Q$.

4.1 Hierarchical hybrid automaton 

In this section, we give semantics to hierarchical hybrid automata. We use the notation $\alpha$ to refer to an atomic automaton $(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$, and $\alpha[v]$ to refer to the automaton $(V, \mathrm{id}_v, \mathrm{tcp}, E, \mathrm{term}, h)$, where $\mathrm{id}_v(w) = (v = w)$.

In the absence of hierarchy, an atomic automaton $\alpha$ can perform an action in a location $v$ and initial valuation $\sigma$ if there is an edge $(v, g, a, r, v')$ such that the following conditions hold:

1. Location $v$ is active ($\sigma \models \mathrm{init}(v)$).

2. Guard $g$ holds ($\sigma \models g$).

3. It is possible to find a new valuation $\sigma'$ such that the reset predicate is satisfied in valuation $\sigma \cup \sigma'^{+}$ ($\sigma \cup \sigma'^{+} \models r$). We do not write $\sigma' \models r$ since, in general, $r$ refers to the next values of variables, which are contained in $\sigma'^{+}$.

The above conditions are summarized in the term $\sigma, \sigma' \models_\alpha (v, g, a, r, v')$, which is syntactically equivalent to the condition $(v, g, a, r, v') \in E \wedge \sigma \models \mathrm{init}(v) \wedge \sigma \models g \wedge \sigma'^{+} \cup \sigma \models r$.

Rule (1) describes what is semantically involved in the addition of hierarchy. First, it is necessary to check that the substructure of the initial location, if any, is terminating (condition $(h(v), \sigma) \dashrightarrow^{\mathrm{true}} (p, \sigma) \vee v \notin \mathrm{dom}(h)$). Finally, after the action is performed, the substructure in the target location, if present, must be initialized (condition $(h(v'), \sigma') \dashrightarrow^{b} (q, \sigma')$). Note that the choice of the active locations of substructure $h(v')$ is made upon entering location $v'$. Example 1 illustrates this phenomenon, which we call eager choice.

$$\frac{\sigma, \sigma' \models_\alpha (v, g, a, r, v'),\quad \big((h(v), \sigma) \dashrightarrow^{\mathrm{true}} (p, \sigma) \vee v \notin \mathrm{dom}(h)\big),\quad v' \in \mathrm{dom}(h),\quad (h(v'), \sigma') \dashrightarrow^{b} (q, \sigma')}{(\alpha, \sigma) \xrightarrow{a} (q : \alpha[v'], \sigma')} \quad (1)$$

Example 1. Consider the composite automaton shown in Figure 3a, in which the tcp function gives the predicate true for all the vertices of the automaton. The idea behind eager choice is that after the execution of the action $a$, an initial state of the substructure is picked immediately. This can only result in the left state of the substructure being picked, because the value of $x$ is set to 1 during the execution of $a$. Hence, the action $c$ in the substructure will never be executed. The resulting transition system generated by the SOS is shown in Figure 3b, where the states are depicted as circles and their components are not shown. End of Example.



Figure 3: (a) Automaton with two possible initial states; the edge into the hierarchical location is labeled $\mathrm{true} : a : (x^+ = 1)$ and the two locations of the substructure carry the initialization predicates $x = 1$ and $x = 0$. (b) Resulting HTS.



Rule (1) requires as a condition that there is an active substructure in the target location, $v' \in \mathrm{dom}(h)$. If this is not the case then no active substructure is prefixed to $\alpha[v']$, as expressed by Rule (2).

$$\frac{\sigma, \sigma' \models_\alpha (v, g, a, r, v'),\quad v' \notin \mathrm{dom}(h),\quad \big((h(v), \sigma) \dashrightarrow^{\mathrm{true}} (p, \sigma) \vee v \notin \mathrm{dom}(h)\big)}{(\alpha, \sigma) \xrightarrow{a} (\alpha[v'], \sigma')} \quad (2)$$
In a hierarchical setting, actions in an automaton can be generated by the substructure of an active location. Rule (3) formalizes this. Note that in the conclusion, $p : \alpha[v]$ reflects the fact that an initial location is chosen in a hierarchical structure if the substructure performs an action.

$$\frac{\sigma \models \mathrm{init}(v),\quad v \in \mathrm{dom}(h),\quad (h(v), \sigma) \xrightarrow{a} (p, \sigma')}{(\alpha, \sigma) \xrightarrow{a} (p : \alpha[v], \sigma')} \quad (3)$$
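As an added illustration (this code is not part of the paper or of the CIF tools), the following Python interpreter implements the action-transition Rules (1) to (3) and, for the termination and initialization premises they refer to, the environment Rules (6) and (7), over a one-level hierarchy with a finite variable domain so that the candidate valuations $\sigma'$ of a reset predicate can be enumerated. The model is a constructed reading of Example 1: the edge labeled $a$ resets $x$ to 1, the substructure has a left location with initialization predicate $x = 1$ and a right location with $x = 0$, and the action $c$ is assumed to leave from the right location. Action transitions of a postfix $p : \alpha$ are only lifted from $p$ here, since the full postfix rules belong to Section 4.2; the class and function names are this example's own.

```python
# Rules (1)-(3) (action transitions) and (6)-(7) (environment transitions) of hCIF
# atomic hierarchical automata, run on a constructed model of Example 1.
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

Val = Dict[str, int]                 # valuation sigma: variable -> value
Pred = Callable[[Val], bool]         # init / term / guard predicate over sigma
Reset = Callable[[Val, Val], bool]   # reset predicate over (sigma, sigma'); sigma' holds the x+ values
DOMAIN = {"x": (0, 1)}               # finite domain so candidate sigma' can be enumerated (constructed)

@dataclass(frozen=True)
class Edge:                          # (v, g, a, r, v')
    src: str; guard: Pred; action: str; reset: Reset; dst: str

@dataclass(frozen=True)
class Atomic:
    """(V, init, tcp, E, term, h) without tcp; `active = v` models alpha[v] (init := id_v)."""
    name: str; locs: Tuple[str, ...]; init: Dict[str, Pred]; edges: Tuple[Edge, ...]
    term: Dict[str, Pred]; h: Dict[str, "Comp"]; active: Optional[str] = None

    def init_holds(self, v: str, sigma: Val) -> bool:
        return v == self.active if self.active is not None else self.init[v](sigma)

    def at(self, v: str) -> "Atomic":
        return replace(self, active=v)   # alpha[v]

    def __repr__(self) -> str:
        return f"{self.name}[{self.active}]" if self.active else self.name

@dataclass(frozen=True)
class Postfix:
    """p : alpha, i.e. p is the active substructure of alpha's active location."""
    p: "Comp"; alpha: Atomic

    def __repr__(self) -> str:
        return f"({self.p!r} : {self.alpha!r})"

Comp = Union[Atomic, Postfix]

def env_steps(c: Comp, sigma: Val) -> List[Tuple[bool, Comp]]:
    """(c, sigma) -b-> (c', sigma) by rules (6)/(7): fix an active location, initialise
    its substructure, and report in b whether the result is terminating."""
    if isinstance(c, Postfix):       # the postfix rules are not part of this excerpt
        return []
    out: List[Tuple[bool, Comp]] = []
    for v in (v for v in c.locs if c.init_holds(v, sigma)):
        if v in c.h:                 # rule (6)
            out += [(b and c.term[v](sigma), Postfix(p, c.at(v))) for b, p in env_steps(c.h[v], sigma)]
        else:                        # rule (7)
            out.append((c.term[v](sigma), c.at(v)))
    return out

def sub_terminates(c: Atomic, v: str, sigma: Val) -> bool:
    """Premise ((h(v), sigma) -true-> (p, sigma)) or v not in dom(h) of rules (1) and (2)."""
    return v not in c.h or any(b for b, _ in env_steps(c.h[v], sigma))

def next_valuations(sigma: Val, reset: Reset) -> List[Val]:
    """All sigma' over DOMAIN with sigma u sigma'+ |= r (third condition of |=_alpha)."""
    cands = (dict(zip(sigma, vals)) for vals in product(*(DOMAIN[x] for x in sigma)))
    return [s2 for s2 in cands if reset(sigma, s2)]

def action_steps(c: Comp, sigma: Val) -> List[Tuple[str, Comp, Val]]:
    """(c, sigma) -a-> (c', sigma') by rules (1)-(3)."""
    if isinstance(c, Postfix):       # only the substructure's steps are lifted through p : alpha here
        return [(a, Postfix(p2, c.alpha), s2) for a, p2, s2 in action_steps(c.p, sigma)]
    out: List[Tuple[str, Comp, Val]] = []
    for e in c.edges:                # sigma, sigma' |=_alpha (v, g, a, r, v') plus the termination premise
        if not (c.init_holds(e.src, sigma) and e.guard(sigma) and sub_terminates(c, e.src, sigma)):
            continue
        for s2 in next_valuations(sigma, e.reset):
            if e.dst in c.h:         # rule (1): eager choice, h(v') is initialised under sigma'
                out += [(e.action, Postfix(q, c.at(e.dst)), s2) for _, q in env_steps(c.h[e.dst], s2)]
            else:                    # rule (2)
                out.append((e.action, c.at(e.dst), s2))
    for v in (v for v in c.locs if v in c.h and c.init_holds(v, sigma)):   # rule (3)
        out += [(a, Postfix(p, c.at(v)), s2) for a, p, s2 in action_steps(c.h[v], sigma)]
    return out

def reachable_actions(c: Comp, sigma: Val, depth: int = 4) -> Set[str]:
    """Labels of all action transitions reachable from (c, sigma) within `depth` steps."""
    labels: Set[str] = set()
    frontier, seen = [(c, sigma)], set()
    for _ in range(depth):
        nxt = []
        for comp, s in frontier:
            key = (repr(comp), tuple(sorted(s.items())))
            if key not in seen:
                seen.add(key)
                for a, comp2, s2 in action_steps(comp, s):
                    labels.add(a)
                    nxt.append((comp2, s2))
        frontier = nxt
    return labels

# Constructed model of Example 1 (Figure 3a); c is assumed to leave from the right location.
TRUE: Pred = lambda s: True
SUB = Atomic("beta", ("left", "right"),
             init={"left": lambda s: s["x"] == 1, "right": lambda s: s["x"] == 0},
             edges=(Edge("right", TRUE, "c", lambda s, s2: s2 == s, "right"),),
             term={"left": TRUE, "right": TRUE}, h={})
TOP = Atomic("alpha", ("v0", "v1"), init={"v0": TRUE, "v1": lambda s: False},
             edges=(Edge("v0", TRUE, "a", lambda s, s2: s2["x"] == 1, "v1"),),
             term={"v0": TRUE, "v1": TRUE}, h={"v1": SUB})

if __name__ == "__main__":
    for a, comp, s2 in action_steps(TOP, {"x": 0}):
        print(f"(alpha, x=0) -{a}-> ({comp!r}, x={s2['x']})")    # eager choice picks beta[left]
    print("reachable actions:", reachable_actions(TOP, {"x": 0}))  # c is never executed
```

Running it shows the single transition $(\alpha, x{=}0) \xrightarrow{a} (\beta[\mathrm{left}] : \alpha[v_1], x{=}1)$: because Rule (1) initialises $h(v_1)$ under the new valuation $\sigma'$, only the left location is admissible, and the substructure in that state offers no further action, so $c$ never appears among the reachable labels. Initialising the same substructure under $x = 0$ instead (as a lazy choice would) yields $\beta[\mathrm{right}]$, from which $c$ is enabled.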

In CIF, a time delay is possible in an active location $v$ if there exists a trajectory $\rho$ such that the tcp predicate is satisfied in $[0, t)$. Henceforth, we will use $t, \rho \models_\alpha (\mathrm{init}(v), \mathrm{tcp}(v))$ as an abbreviation of the predicate $\rho(0) \models \mathrm{init}(v) \wedge \mathrm{dom}(\rho) = [0, t] \wedge 0 < t \wedge \forall_{s \in [0, t)}\, \rho(s) \models \mathrm{tcp}(v)$.

For time delays in hCIF, the substructure must perform a time transition with the same trajectory, and we consider the conjunction of all the tcp predicates of all the active locations of an automaton. In this way time passes in an automaton, and also in all of its contained substructures. That is, an automaton and its substructure synchronize in the time delays. In the complete extension of CIF with hierarchy, a similar approach is taken for invariants. Rule (4) models this, where $\mathrm{dom}(\omega) = \mathrm{dom}(\rho)$, $\mathrm{dom}(\theta) = \mathrm{dom}(\rho)$, $\forall_{s \in [0, t]}\, \omega(s) = \omega_0(s) \wedge \rho(s) \models \mathrm{term}(v)$, and $\forall_{s \in [0, t]}\, \theta(s) = \theta_0(s) \cup \{a \mid (v, g, a, r, v') \in E \wedge \rho(s) \models g \wedge \omega_0(s)\}$. The guard trajectory $\theta$ as well as the termination trajectory $\omega$ are constructed using the corresponding trajectories $\theta_0$ and $\omega_0$ generated by the time transition in the substructure.

We found this approach to be simple and intuitive: substructures are part of the whole structure, and it is strange from the modeling point of view to have a system in which time can "freeze" for certain parts of the system. Furthermore, since there are several active locations in different levels of hierarchy, it is not clear which one to choose to perform the time delays. The example of the thermostat with hierarchy, depicted in Figure 2, shows the convenience of this decision, since we want the clock to advance while the room heats up.



$$\frac{t, \rho \models_\alpha (\mathrm{init}(v), \mathrm{tcp}(v)),\quad (h(v), \rho(0)) \xmapsto{\rho, \theta_0, \omega_0} (p, \rho(t))}{(\alpha, \rho(0)) \xmapsto{\rho, \theta, \omega} (p : \alpha[v], \rho(t))} \quad (4)$$

The following example illustrates the need for termination trajectories to properly capture the set of enabled actions during time delays.

Example 2. Consider the automaton shown in Figure 4a and assume $1 < k_0 < k_1$. Then the set of enabled actions at the active location depends on the termination trajectory, and this set is illustrated in Figure 4b. In other words, if $x < \ln(k_0)$ then the set of enabled actions is $\{a\}$. If $\ln(k_0) \le x < \ln(k_1)$ then the set of enabled actions is $\{a, b\}$. And if $x > \ln(k_1)$ then the set of enabled actions is $\{a\}$. End of Example.




Figure 4: Illustration of the dependence of enabled actions over time. 
Rule (5) deals with the case when an initial location $v$ does not contain a substructure, where $\mathrm{dom}(\omega) = \mathrm{dom}(\rho)$, $\mathrm{dom}(\theta) = \mathrm{dom}(\rho)$, $\forall_{s \in [0, t]}\, \omega(s) = \rho(s) \models \mathrm{term}(v)$, and $\forall_{s \in [0, t]}\, \theta(s) = \{a \mid (v, g, a, r, v') \in E \wedge \rho(s) \models g\}$.

$$\frac{t, \rho \models_\alpha (\mathrm{init}(v), \mathrm{tcp}(v)),\quad v \notin \mathrm{dom}(h)}{(\alpha, \rho(0)) \xmapsto{\rho, \theta, \omega} (\alpha[v], \rho(t))} \quad (5)$$
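To make Rules (4) and (5) concrete, and to show the point of Example 2 that the enabled actions of a delaying automaton depend on the termination trajectory, here is an added Python example (not code from the paper or from the CIF tools). It builds the guard trajectory $\theta$ and the termination trajectory $\omega$ from a variable trajectory $\rho$ sampled on $[0, t]$, recursing into the substructure exactly as Rule (4) does and falling back to Rule (5) when a location has no substructure. The model is a constructed reading of the thermostat of Figures 1 and 2: location On with the switch-off edge guarded by $n < 1000$, optionally containing a single-location timer substructure whose termination predicate is taken as $\Delta \le c$. The substructure's done event is omitted, and the value $\Delta = 2$, the initial temperature, the counter value and the sampling grid are assumptions of this example; the sampled check of tcp on $[0, t)$ stands in for the continuous condition. All names are this example's own.

```python
# Guard trajectory theta and termination trajectory omega of rules (4) and (5), computed
# from a sampled variable trajectory rho on [0, t]; constructed thermostat-with-timer model.
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Val = Dict[str, float]
Pred = Callable[[Val], bool]
Traj = Callable[[float], Val]        # rho: time point -> valuation

@dataclass(frozen=True)
class Edge:                          # (v, g, a, _, v'); the reset plays no role in theta
    src: str; guard: Pred; action: str; dst: str

@dataclass(frozen=True)
class Loc:
    tcp: Pred; term: Pred
    sub: Optional[Tuple["Automaton", str]] = None   # (h(v), active location of h(v)) if v in dom(h)

@dataclass(frozen=True)
class Automaton:
    locs: Dict[str, Loc]; edges: Tuple[Edge, ...]

def trajectories(aut: Automaton, v: str, rho: Traj,
                 points: List[float]) -> Optional[Tuple[List[Set[str]], List[bool]]]:
    """theta(s) and omega(s) at the sample points 0 = points[0] < ... < points[-1] = t for the
    time transition of aut[v]; None if tcp(v) (or a substructure's tcp) fails somewhere in [0, t)."""
    loc = aut.locs[v]
    if not all(loc.tcp(rho(s)) for s in points[:-1]):      # t, rho |=_alpha (init(v), tcp(v))
        return None
    if loc.sub is None:                                     # rule (5): no substructure
        theta0, omega0 = [set() for _ in points], [True] * len(points)
    else:                                                   # rule (4): the substructure delays with the same rho
        res = trajectories(loc.sub[0], loc.sub[1], rho, points)
        if res is None:
            return None
        theta0, omega0 = res
    omega = [o0 and loc.term(rho(s)) for s, o0 in zip(points, omega0)]   # omega = omega0 /\ term(v)
    theta = [th0 | {e.action for e in aut.edges if e.src == v and e.guard(rho(s)) and o0}
             for s, th0, o0 in zip(points, theta0, omega0)]              # theta = theta0 u {a | g /\ omega0}
    return theta, omega

DELTA, T0 = 2.0, 18.0                # constructed timer bound Delta and initial temperature

def rho(s: float) -> Val:
    """Constructed variable trajectory: T solves Tdot = -T + 25 from T0, the clock c runs
    at rate 1, and the discrete counter n stays constant (ndot = 0)."""
    T = 25.0 - (25.0 - T0) * math.exp(-s)
    return {"T": T, "Tdot": 25.0 - T, "c": s, "cdot": 1.0, "n": 7.0, "ndot": 0.0}

SWITCH_OFF = Edge("On", lambda x: x["n"] < 1000, "switch-off", "Off")
TIMER = Automaton({"wait": Loc(tcp=lambda x: x["cdot"] == 1.0, term=lambda x: DELTA <= x["c"])}, ())
ON_TCP: Pred = lambda x: abs(x["Tdot"] - (-x["T"] + 25.0)) < 1e-9
PLAIN = Automaton({"On": Loc(tcp=ON_TCP, term=lambda x: True)}, (SWITCH_OFF,))                        # Figure 1
TIMED = Automaton({"On": Loc(tcp=ON_TCP, term=lambda x: True, sub=(TIMER, "wait"))}, (SWITCH_OFF,))   # Figure 2
POINTS = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0]   # sample grid for a delay of t = 3 (constructed)

def switch_off_enabled(aut: Automaton) -> List[bool]:
    """Whether switch-off is in theta(s) at each sample point of the delay in On."""
    theta, _ = trajectories(aut, "On", rho, POINTS)
    return ["switch-off" in th for th in theta]

def terminating(aut: Automaton) -> List[bool]:
    """omega(s) at each sample point of the delay in On."""
    _, omega = trajectories(aut, "On", rho, POINTS)
    return omega

if __name__ == "__main__":
    print("plain On :", switch_off_enabled(PLAIN))   # enabled at every sample point
    print("timed On :", switch_off_enabled(TIMED))   # enabled only once the timer terminates (c >= Delta)
```

With the timer substructure, switch-off is absent from $\theta(s)$ for $s < \Delta$ even though its guard $n < 1000$ holds throughout, because Rule (4) only admits a super-automaton edge into $\theta(s)$ when $\omega_0(s)$ holds; without the substructure, Rule (5) enables it at every sample point. A trajectory on which the substructure's tcp fails (for instance a clock that does not advance) yields no time transition at all.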

In CIF, if an automaton performs an environment transition then a unique active location is chosen. When hierarchy is incorporated, the substructure is initialized as well. This is expressed by Rule (6). The initialized composition $p$ becomes the active substructure of $\alpha[v]$, and the automaton is terminating if the location and the active substructure are. Rule (7) deals with the case where there is no substructure.

$$\frac{\sigma \models \mathrm{init}(v),\quad (h(v), \sigma) \dashrightarrow^{b} (p, \sigma)}{(\alpha, \sigma) \dashrightarrow^{b \wedge \sigma \models \mathrm{term}(v)} (p : \alpha[v], \sigma)} \quad (6) \qquad\qquad \frac{\sigma \models \mathrm{init}(v),\quad v \notin \mathrm{dom}(h)}{(\alpha, \sigma) \dashrightarrow^{\sigma \models \mathrm{term}(v)} (\alpha[v], \sigma)} \quad (7)$$

4.2 Automaton postfix operator 

We now define the SOS rules for the automaton postfix operator, which helps in defining the overall 
behavior of a hierarchical automaton. 

Intuitively, the composition $p : \alpha$ means that composition $p$ is the active substructure of some initial 
location $v \in V$ in the automaton $\alpha$. Note that whenever the automaton postfix is only used as an auxiliary 
operator, this initial location will always be uniquely specified. 

If we now look at the structure of a state $(p, \sigma)$ in the hybrid transition system, it becomes clear 
how the postfix operator helps us to mimic the state-tree structures used in the semantics of statecharts. 
Figure 5 shows that a composition $p$ in essence is a tree, where the postfix operator represents the 
edges of the tree and the parallel compositions represent the branching. The root of this tree is the active 
location of the automaton we described, while the leaves are the active substructures where the control 
over actions currently lies. Indeed, an informal comparison of our semantics to that of statecharts suggests 
that the AND-superstates of statecharts are represented as (asynchronous) parallel compositions $\parallel_\emptyset$, 
while OR-superstates are represented by having multiple locations for which the initialization predicate 
holds. 

Figure 5: Relation between automaton postfix operator and state tree structures. The figure depicts the 
composition $((p_1 : \alpha_1) \parallel (p_2 : \alpha_2)) : \alpha_0$ as a tree with root $\alpha_0$ and leaves $p_1$ and $p_2$. 



The semantics of $p : \alpha$ is reminiscent of the sequential composition of untimed process algebra, 
i.e. the composite automaton $p$ in $p : \alpha$ performs action transitions until it is terminating, after which 
the automaton $\alpha$ can perform its action transitions. The difference between the sequential composition 
operator and the automaton postfix operator lies in the passage of time caused by these 
operators. In the automaton postfix operator, the passage of time is synchronized between the first and 
second component, whereas in sequential composition the passage of time is not synchronized: there 
the second component waits for termination of the first, in a similar way as with action transitions. 

All the rules presented here are similar to those presented in the previous section. The difference 
is that in the rules of this section the function $h$ is not considered, since there is an active substructure $p$ 
in the target state of every transition appearing in the conclusions. Rule 8 models the action transition 
when the substructure is terminating. 

$$\frac{\sigma,\sigma' \models_\alpha (v,g,a,r,v'),\quad (p,\sigma) \overset{\mathit{true}}{\dashrightarrow} (p',\sigma),\quad (h(v'),\sigma') \overset{b}{\dashrightarrow} (q,\sigma')}{(p:\alpha,\sigma) \xrightarrow{a} (q:\alpha[v'],\sigma')}\quad (8)$$

Rule 9 also models the action transition generated from a postfix operator when the substructure is 
terminating and the target location $v'$ does not contain a substructure. Rule 10 models the action transition 
which results from the execution of the substructure. 

$$\frac{\sigma,\sigma' \models_\alpha (v,g,a,r,v'),\quad (p,\sigma) \overset{\mathit{true}}{\dashrightarrow} (p',\sigma),\quad v' \notin \mathrm{dom}(h)}{(p:\alpha,\sigma) \xrightarrow{a} (\alpha[v'],\sigma')}\quad (9)
\qquad
\frac{(p,\sigma) \xrightarrow{a} (q,\sigma')}{(p:\alpha,\sigma) \xrightarrow{a} (q:\alpha,\sigma')}\quad (10)$$

Finally, Rule 11 models the passage of time in an automaton postfix such that the timed transitions 
are synchronized at every level of hierarchy $p : \alpha$, where $\mathrm{dom}(\omega) = \mathrm{dom}(\rho)$, $\mathrm{dom}(\theta) = \mathrm{dom}(\rho)$, 
$\forall_{s \in [0,t]}.\ \omega(s) = \omega_0(s) \wedge \rho(s) \models \mathrm{term}(v)$, and $\forall_{s \in [0,t]}.\ \theta(s) = \theta_0(s) \cup \{a \mid (v,g,a,r,v') \in E \wedge \rho(s) \models 
g \wedge \omega_0(s)\}$. 

$$\frac{t,\rho \models_\alpha (\mathrm{init}(v),\mathrm{tcp}(v)),\quad (p,\rho(0)) \xrightarrow{\rho,\theta_0,\omega_0} (p',\rho(t))}{(p:\alpha,\rho(0)) \xrightarrow{\rho,\theta,\omega} (p':\alpha[v],\rho(t))}\quad (11)$$

Rule 12 models the execution of an environment transition in an automaton postfix; its conclusion reads 

$$(p:\alpha,\sigma) \overset{b}{\dashrightarrow} (p:\alpha[v],\sigma')\quad (12)$$



4.3 Parallel composition operator 

The parallel composition operator allows synchronisation of equally labelled action transitions between 
any two components, as specified by the synchronisation set $S$ (a subset of the action labels). Rule 13 models this. 

$$\frac{(p,\sigma) \xrightarrow{a} (p',\sigma'),\quad (q,\sigma) \xrightarrow{a} (q',\sigma'),\quad a \in S}{(p \parallel_S q,\sigma) \xrightarrow{a} (p' \parallel_S q',\sigma'),\qquad (q \parallel_S p,\sigma) \xrightarrow{a} (q' \parallel_S p',\sigma')}\quad (13)$$

Rule 14 models the interleaving of action transitions that do not belong to the synchronisation set $S$. 
Note the presence of an environment transition in the premise of the following rule. This allows the other 
component (which does not perform an action transition, in the following case $q$) to get initialised. 

$$\frac{(p,\sigma) \xrightarrow{a} (p',\sigma'),\quad (q,\sigma) \overset{b}{\dashrightarrow} (q',\sigma'),\quad a \notin S}{(p \parallel_S q,\sigma) \xrightarrow{a} (p' \parallel_S q',\sigma'),\qquad (q \parallel_S p,\sigma) \xrightarrow{a} (q' \parallel_S p',\sigma')}\quad (14)$$

In a parallel composition, time can pass if it can pass in each component individually, as can 
be seen in Rule 15, where $\forall_{s \in [0,t]}.\ [\theta_{01}(s) = (\theta_0(s) \cap \theta_1(s)) \cup (\theta_0(s) \setminus S) \cup (\theta_1(s) \setminus S)]$ and 
$\forall_{s \in [0,t]}.\ [\omega_{01}(s) = \omega_0(s) \wedge \omega_1(s)]$. The guard trajectory is constructed (as in CIF) from the guard 
trajectories of the composite automata interleaving in the parallel composition: at a given time point 
$s$, an action is enabled in the parallel composition $p \parallel_S q$ if it is enabled in $p$ and $q$ (regardless of 
whether the action is in $S$), or if it is enabled in $p$ or $q$ and is not synchronizing in the other component. 
The termination trajectory in the parallel composition at a given time point $s$ is the conjunction of the 
termination trajectories of the respective components at the same time instant $s$. 

$$\frac{(p,\rho(0)) \xrightarrow{\rho,\theta_0,\omega_0} (p',\rho(t)),\quad (q,\rho(0)) \xrightarrow{\rho,\theta_1,\omega_1} (q',\rho(t))}{(p \parallel_S q,\rho(0)) \xrightarrow{\rho,\theta_{01},\omega_{01}} (p' \parallel_S q',\rho(t)),\qquad (q \parallel_S p,\rho(0)) \xrightarrow{\rho,\theta_{01},\omega_{01}} (q' \parallel_S p',\rho(t))}\quad (15)$$

The initialization of a parallel composition (Rule 16) is the initialization of its components. The 
termination predicate of the parallel composition is the conjunction of the termination predicates of the 
respective components. 

$$\frac{(p,\sigma) \overset{b}{\dashrightarrow} (p',\sigma'),\quad (q,\sigma) \overset{b'}{\dashrightarrow} (q',\sigma')}{(p \parallel_S q,\sigma) \overset{b \wedge b'}{\dashrightarrow} (p' \parallel_S q',\sigma')}\quad (16)$$

4.4 Stateless bisimulation 

It is clear from the definition of a HTS (Definition 4.1) that a state in a transition system consists of a 
process part (a behavioural entity) and a data part (valuation). Furthermore, we know that stateless 
bisimulation is the most robust equivalence for transition systems whose states contain data [11]. 
This subsection shows that the semantics of hCIF is compositional with respect to stateless bisimulation 
[11], i.e. stateless bisimulation is a congruence for all operators of hCIF. 

Definition 4.2. A symmetric relation $R \subseteq \mathcal{C} \times \mathcal{C}$ is called a stateless bisimulation [11] relation iff the 
following transfer conditions hold. 

• $\forall p,p',\sigma,\sigma',a,q.\ (p,\sigma) \xrightarrow{a} (p',\sigma') \wedge (p,q) \in R \Rightarrow \exists q'.\ [(q,\sigma) \xrightarrow{a} (q',\sigma') \wedge (p',q') \in R]$ 

• $\forall p,p',\sigma,\sigma',\rho,\theta,\omega,q.\ [(p,\sigma) \xrightarrow{\rho,\theta,\omega} (p',\sigma') \wedge (p,q) \in R \Rightarrow \exists q'.\ [(q,\sigma) \xrightarrow{\rho,\theta,\omega} (q',\sigma') \wedge (p',q') \in R]]$ 

• $\forall p,p',\sigma,\sigma',b,q.\ (p,\sigma) \overset{b}{\dashrightarrow} (p',\sigma') \wedge (p,q) \in R \Rightarrow \exists q'.\ [(q,\sigma) \overset{b}{\dashrightarrow} (q',\sigma') \wedge (p',q') \in R]$ 

Two composite automata $p, q$ are said to be stateless bisimilar (denoted $p \leftrightarrow_s q$) iff there exists a stateless 
bisimulation relation $R$ such that $(p,q) \in R$. 

Theorem 4.3. Stateless bisimulation is a congruence for all the constructs of hCIF. 

Proof. The SOS rules of hCIF are in the process-tyft format, which guarantees the congruence for 
stateless bisimilarity [11]. □ 

5 Elimination of hierarchy 

In this section, we present a technique that converts a hierarchical automaton into an automaton in which 
the hierarchical function $h$ is empty, such that the two are stateless bisimilar. Such techniques in general 
are known as linearization or elimination of operators [11]. The advantage of flattening a hierarchical 
automaton is that it allows the reuse of existing tools like simulators of the CIF language, which are only 
developed for flat automata. 

Definition 5.1. The depth $D(p)$ of a composite automaton $p \in \mathcal{C}$ is recursively defined to be $1 
+ \max_{v \in \mathrm{dom}(h)} D(h(v))$ when $p$ is a hierarchical automaton of the form $(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$, and is 
defined as $\max(D(q), D(r))$ whenever $p = q \parallel_S r$. An automaton is called well founded whenever its 
depth is defined. An automaton of depth 1 (i.e. with $\mathrm{dom}(h) = \emptyset$) is also called a flat automaton. 

Suppose that we have a procedure $\mathcal{S}$ that turns any composition of flat automata into a stateless 
bisimilar flat automaton. In particular, suppose that $\mathcal{S}(\alpha \parallel_S \alpha') \leftrightarrow_s \alpha \parallel_S \alpha'$ whenever $\alpha$ and $\alpha'$ are flat 
automata. Then, we can lift this procedure to any well-founded composite automaton $p \in \mathcal{C}$, by first 
applying it to all components of $p$ before applying it to $p$ itself. We define $\mathcal{S}(p \parallel_S q) = \mathcal{S}(\mathcal{S}(p) \parallel_S \mathcal{S}(q))$ 
and $\mathcal{S}((V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)) = \mathcal{S}((V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h'))$ with $h'(v) = \mathcal{S}(h(v))$, for any $p, q$ and 
$(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$ of depth greater than 2. Structural induction on the depth of the composite 
automaton, combined with the congruence obtained in Theorem 4.3, then gives us $\mathcal{S}(p) \leftrightarrow_s p$ for all 
well-founded composite automata $p$. 

Such a procedure is already known for all the usual operators of the CIF [7], and next, we will give 
it for hierarchical automata. 

Definition 5.2. Let $\alpha$ be an automaton of depth 2 of the form $(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$, such that $h(v)$ 
is a flat automaton for all $v \in \mathrm{dom}(h)$. We define $\mathcal{S}(\alpha) = (\bar{V}, \overline{\mathrm{init}}, \overline{\mathrm{tcp}}, \bar{E}, \overline{\mathrm{term}}, \emptyset)$ where, 

• The set $\bar{V}$ of locations of the flat automaton $\mathcal{S}(\alpha)$ is defined by: 

$$\bar{V} = \left\{ (v,w) \;\middle|\; (v \notin \mathrm{dom}(h) \wedge w = \bot) \vee \left(h(v) = (V', \mathrm{init}', \mathrm{tcp}', E', \mathrm{term}', \emptyset) \wedge w \in V'\right) \right\}$$

• The predicate functions $\bar{\square}$, with $\square \in \{\mathrm{init}, \mathrm{tcp}, \mathrm{term}\}$, are defined for each $\bar{v} \in \bar{V}$ by: 

$$\bar{\square}(\bar{v}) = \begin{cases} \square(v) & \text{if } \bar{v} = (v,\bot) \\[4pt] \square(v) \wedge \square'(w) & \text{if } \bar{v} = (v,w) \wedge h(v) = (V', \mathrm{init}', \mathrm{tcp}', E', \mathrm{term}', \emptyset) \wedge w \in V' \end{cases}$$

• The edges $(\bar{v}_0, g', a, r', \bar{v}_1)$ of the flat automaton $\mathcal{S}(\alpha)$ are present (i.e. $(\bar{v}_0, g', a, r', \bar{v}_1) \in \bar{E}$) iff one 
of the following conditions holds: 

1. $\bar{v}_0 = (v_0,w_0) \wedge \bar{v}_1 = (v_1,w_1)$ for some $v_0, v_1 \in V$ such that $h(v_i) = (V'_i, \mathrm{init}'_i, \mathrm{tcp}'_i, E'_i, \mathrm{term}'_i, \emptyset)$, 
$w_i \in V'_i$, for $i \in \{0,1\}$ and 

$$(v_0, g, a, r, v_1) \in E \wedge g' = (\mathrm{term}'_0(w_0) \wedge g) \wedge r' = (r \wedge \mathrm{init}'_1(w_1)^+)\ .$$

Note that if $w_0 = \bot$ ($w_1 = \bot$) then by defining $\mathrm{term}'_0(w_0) = \mathit{true}$ ($\mathrm{init}'_1(w_1) = \mathit{true}$) we get 
definitions for the simpler cases derived from the above one. 

2. $\bar{v}_0 = (v, w_0) \wedge \bar{v}_1 = (v, w_1)$ for some $v \in V$ such that 

$$h(v) = (V', \mathrm{init}', \mathrm{tcp}', E', \mathrm{term}', \emptyset) \wedge w_0, w_1 \in V' \wedge (w_0, g', a, r', w_1) \in E'\ .$$
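The flattening of Definition 5.2 carried out on a small depth-2 automaton, as an added example that is not code from the paper or from the CIF tool set. Predicates are kept as strings, the ⊥ placeholder is the string "_|_", and the heater automaton, its location names and its predicates are constructed here for illustration.

```python
from itertools import product

BOTTOM = "_|_"  # placeholder of a location without substructure (the paper's bottom symbol)

def conj(p, q):
    """Conjunction of two predicates written as strings; "True" is the unit."""
    if p == "True":
        return q
    return p if q == "True" else f"({p}) and ({q})"

def plus(p):
    """init'(w)^+ of the definition: the predicate on the post-transition values."""
    return "True" if p == "True" else f"({p})^+"

def automaton(V, init, tcp, E, term, h=None):  # (V, init, tcp, E, term, h), predicates as strings
    return {"V": set(V), "init": init, "tcp": tcp, "E": set(E), "term": term, "h": h or {}}

def flatten(a):
    """Definition 5.2: turn a depth-2 automaton (every h(v) flat) into a flat one."""
    h = a["h"]
    subs = lambda v: h[v]["V"] if v in h else {BOTTOM}  # the w that get paired with v
    def sub_pred(v, key, w):  # term'/init'/tcp' of w, with the text's convention for bottom
        return "True" if w == BOTTOM else h[v][key][w]
    V = {(v, w) for v in a["V"] for w in subs(v)}
    preds = {key: {(v, w): conj(a[key][v], sub_pred(v, key, w)) for (v, w) in V}
             for key in ("init", "tcp", "term")}
    E = set()
    # case 1: an outer edge, for every pair of sub-locations; the source substructure
    # must be terminating and the target substructure is initialised by the reset
    for (v0, g, act, r, v1) in a["E"]:
        for w0, w1 in product(subs(v0), subs(v1)):
            g1 = conj(sub_pred(v0, "term", w0), g)
            r1 = conj(r, plus(sub_pred(v1, "init", w1)))
            E.add(((v0, w0), g1, act, r1, (v1, w1)))
    # case 2: an edge inside the substructure of v is lifted unchanged
    for v, sub in h.items():
        for (w0, g, act, r, w1) in sub["E"]:
            E.add(((v, w0), g, act, r, (v, w1)))
    return automaton(V, preds["init"], preds["tcp"], E, preds["term"])

# constructed example (not the paper's thermostat): "on" carries a two-mode substructure
HEATER = automaton(
    V={"off", "on"}, init={"off": "x = 0", "on": "False"},
    tcp={"off": "x <= 20", "on": "x <= 20"}, term={"off": "True", "on": "True"},
    E={("off", "x >= 18", "up", "x+ = x", "on"), ("on", "x <= 2", "down", "x+ = x", "off")},
    h={"on": automaton(V={"low", "high"}, init={"low": "y = 0", "high": "False"},
                       tcp={"low": "y <= 5", "high": "y <= 5"},
                       term={"low": "y >= 1", "high": "True"},
                       E={("low", "y >= 3", "boost", "y+ = 0", "high")})})
FLAT = flatten(HEATER)  # three locations and five edges
```

The two outer edges produce four flat edges (one per pair of substructure locations), and the single inner edge is lifted unchanged, which is the blow-up the conclusions call inefficient.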

Figure 6 shows the resulting automaton after applying the linearization procedure to the thermostat 
model extended with a clock (Figure 2). 




Figure 6: A flat model of thermostat with clock. 



Next we prove the correctness of our linearization procedure as defined in Definition 5.2. 

Theorem 5.3. Let $\alpha$ be an automaton of depth 2 of the form $(V, \mathrm{init}, \mathrm{tcp}, E, \mathrm{term}, h)$, such that $h(v)$ 
is a flat automaton for all $v \in \mathrm{dom}(h)$; then $\alpha \leftrightarrow_s \mathcal{S}(\alpha)$. 

Proof. Fix $\bar{\alpha} = \mathcal{S}(\alpha) = (\bar{V}, \overline{\mathrm{init}}, \overline{\mathrm{tcp}}, \bar{E}, \overline{\mathrm{term}}, \emptyset)$. It is rather straightforward but tedious to verify that the 
relation $R = \{(\alpha, \bar{\alpha}),\ (\alpha[v], \bar{\alpha}[(v,\bot)]),\ (h(v)[w] : \alpha[v], \bar{\alpha}[(v,w)]) \mid v \in V \wedge (v,w) \in \bar{V}\}$ is a witnessing 
stateless bisimulation. □ 

6 Conclusions 

In this paper we illustrated how to add hierarchy to a subset of the CIF (called hCIF) in a compositional 
way, and we showed that the SOS rules of atomic entities can be modified without altering the rules of 
the CIF operators. Moreover, the rules are formulated in such a way that the addition of concepts such 
as urgency and invariants can be incorporated easily without altering the rules presented here. However, 
the usability of hCIF is not yet investigated and the plan is to evaluate it by performing industrial case 
studies within the context of the MULTIFORM project [1] after extending it with the remaining operators 
of the CIF. A procedure to eliminate hierarchy was given in order to be able to use the existing tools 
associated with CIF. Note that Definition 5.2 presented here is a relatively inefficient one to implement. 
It can be further optimized, for example, by disallowing the edges in the set $\bar{E}$ that are never executed for 
any valuation. 

As ongoing work, we are researching a branching version of stateless bisimulation for hybrid transition 
systems in order to handle the $\tau$ action as 'invisible'. Using such a notion, it becomes possible to 
formalize when a stepwise refinement is a correct refinement of an abstract model. Thus we can attack 
the second aspect of stepwise refinement mentioned in the introduction. 